This is such a simple thing I'm almost ashamed to bring it up...but I can't seem to make the frickin' thing work!

I have a folder on my Windows server named Forms. I want to give everyone on the domain read-only access to the folder and everything underneath, however I have a subset of everyone (Forms Editors) that I want to have full access rights. Because it is a shared folder, I set the group "Authenticated Users" to have read only access then set the group "Forms Editors" to have full control. However, the result is the Authenticated Users read-only settings take precedence and I can't seem to figure out a way to get Forms Editors to have full access. I know it's a precedence issue, but I just don't know how to make it work.

When it comes to permissions, it is least restrictive for like permissions (i.e. NTFS permissions OR Share permission) but most restrictive between both (NTFS AND Share), unless a Deny is explicitly set.

Attached is an example of what I mean. Do you have anything in the "Deny" column? If you explicitly deny access to full control or modify to authenticated users, any authenticated user, including anyone in your other group you created will not be able to modify any of the contents, even though you set them as full control. Remember, least restrictive unless explicitly denied.

NTFS rights look good. As Casi says, make sure your share permission is read/write for everyone, or at least for Form Editors. It is usually safe to set share permissions to full for everyone at all times, and use NTFS permissions for fine tuning the access rights. Share permissions are more useful for FAT drives or optic drives, where NTFS permissions cannot apply.

If the effective permissions show up correct, then the next step is verifying that the user that is trying to reach the resources is in fact a member of the group that has the permissions. Is there any chance that this is a local group versus a domain group issue?

Also, for troubleshooting this, you might want to make use of the security event log on the server.

It's really weird! I can see the effective permissions are correct, but when a Forms Editors user opens a document in Word, it still comes up as Read Only in the title bar. There is no password protection in the document. It's like it's ignoring the Forms Editors group altogether.

1. Share permissions. What does that look like? Is everyone set to full there?

2. How was the Forms Editor group created? Distribution? Security? Universal?

3. Have you tried copying a file to that folder? Delete a file in that folder? This may narrow it down a little. So far, you're saying that when someone opens a Word Document, it's showing read only. There are a few reasons that could happen, and not all of them pertain to NTFS permissions.

The group "Forms Editors" contains two other AD groups, "Administrative Assistants" and "Executives". Just for jollies, I removed "Forms Editors" from the Forms folder and added "Administrative Assistants" and "Executives" as separate entries each with Full Control in the ACL. Now it works as it should.

I thought an AD group can consist of individual users and other groups, but apparently I'm wrong unless there's a "but" in there somewhere.
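
The checks asked for in the thread (share permissions, NTFS ACL and Deny entries, group type and scope, nested membership), collected as an added example that is not part of the original posts. The share name `Forms`, the path `D:\Forms` and the user `jdoe` are assumptions, and it assumes Windows Server 2012 or later with the ActiveDirectory module installed.

```powershell
# Assumed names; replace with your own. 'jdoe' is a placeholder account.
$ShareName = 'Forms'
$Path      = 'D:\Forms'
$Group     = 'Forms Editors'
$User      = 'jdoe'

# 1. Share permissions. Access over the network is the more restrictive of
#    share and NTFS, so a Read-only share caps everyone at Read.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight

# 2. NTFS ACL on the folder, Deny entries listed first. A Deny on
#    Authenticated Users also hits every member of Forms Editors.
(Get-Acl -Path $Path).Access |
    Sort-Object AccessControlType -Descending |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited

# 3. Group type and scope. A Distribution group cannot be used in an ACL;
#    scope shows whether it is DomainLocal, Global or Universal.
Import-Module ActiveDirectory
Get-ADGroup -Identity $Group |
    Format-List Name, GroupCategory, GroupScope

# 4. Nested membership. -Recursive expands groups inside the group
#    (here Administrative Assistants and Executives) down to user accounts.
$members = Get-ADGroupMember -Identity $Group -Recursive
if ($members.SamAccountName -contains $User) {
    "$User is a direct or nested member of '$Group'"
} else {
    "$User is NOT a member of '$Group' (directly or through nesting)"
}

# 5. In the affected user's own session, list the groups in the logon token.
#    The token is built at logon, so membership added since then is missing
#    until the user logs off and on again.
#      whoami /groups | findstr /i /c:"Forms Editors"
```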